This guide is intended to help users who want to install Linux Mint Debian Edition (LMDE) on their system with whole-disk encryption, that is, everything on the system is encrypted on the fly and transparently to the user, except for a small boot partition that is used to start everything else. As a side benefit, we will also install Mint on top of LVM volumes.

It is assumed that the user following this guide is familiar with the command line and with the concepts behind the procedures outlined here. To follow the guide you need the computer you will be working on, an Internet connection, the installation media, and some sort of removable media (e.g. a USB stick or an external hard disk, big enough to hold a Mint installation) that the system recognizes as a regular disk (sd*, hd*; this requirement is only due to limitations of the installer).

WARNING: beginners, be aware that following this guide blindly will irrevocably destroy all your data!

Having said that, one can never stress enough how important it is to have all your important data properly backed up before following procedures such as the one described here.

2. Preparing the disks

First you need to prepare your disks to be encrypted. Although this step is a very tedious one, it is crucial to have your disk properly sanitized before you proceed, or you risk residual data being disclosed.

To sanitize the disk you will be installing Mint LMDE on (assumed to be sda in this guide), first boot your Mint installation media, open a terminal (Menu -> Terminal), and type the following to become root:

You can sanitize your disk by a variety of methods. I've personally used plain old dd, but I've also heard of a good tool called shred, which is also included on Mint's installation disk. To wipe everything with dd, run the following a couple of times (the more passes you make, the more securely your hard disk will be sanitized):

This gets dd running in the background; you will notice some activity on the disk. It will take a long time, depending primarily on the size of your disk (it took me a day and a half per pass on a 250 GB disk). You can see dd's status by issuing the following command in the terminal:
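The wipe step above, written out as an added example script rather than the guide's own commands. It overwrites a device with /dev/urandom for a chosen number of passes and reports dd's progress; the device path is whatever the caller passes (the guide's target is /dev/sda), and the function also accepts a regular file used as a disk image, which is how it can be exercised without a spare disk. Run as root against a real disk it destroys everything on that disk.

```shell
#!/bin/sh
# Added example, not part of the original guide: overwrite a disk (or a disk
# image file) with data from /dev/urandom for a chosen number of passes, the
# same thing the guide's dd step does. Device path is the caller's choice.
set -eu

# wipe_device DEVICE PASSES [BLOCK_SIZE]
#   DEVICE      block device (/dev/sdX) or a regular file used as a disk image
#   PASSES      number of full overwrites (the guide suggests more than one)
#   BLOCK_SIZE  dd block size in bytes, default 4096
wipe_device() {
  dev=$1
  passes=${2:-1}
  bs=${3:-4096}

  # Size in bytes: block devices report it through blockdev, image files through wc.
  if [ -b "$dev" ]; then
    size=$(blockdev --getsize64 "$dev")
  else
    size=$(wc -c < "$dev" | tr -d ' ')
  fi
  full=$((size / bs))   # whole blocks
  rest=$((size % bs))   # trailing partial block, written separately so nothing is skipped

  # coreutils dd (8.24 and later) reports bytes copied and throughput with
  # status=progress; on older dd, send SIGUSR1 to the running process instead
  # (kill -USR1 PID) and it prints the same report to its stderr.
  if dd --help 2>/dev/null | grep -q 'status=LEVEL'; then
    progress=status=progress
  else
    progress=
  fi

  pass=1
  while [ "$pass" -le "$passes" ]; do
    # conv=notrunc keeps an image file at its size; on a block device it changes nothing
    dd if=/dev/urandom of="$dev" bs="$bs" count="$full" conv=notrunc $progress
    if [ "$rest" -ne 0 ]; then
      dd if=/dev/urandom of="$dev" bs=1 count="$rest" seek="$((size - rest))" conv=notrunc 2>/dev/null
    fi
    echo "pass $pass of $passes done ($size bytes)"
    pass=$((pass + 1))
  done
  sync
}

# Real use from the live media, as root: wipe_device /dev/sda 2
```

The block size only affects speed, not coverage: the remainder that does not fit a whole block is written in a second, byte-sized dd so the last bytes of an odd-sized device are overwritten too.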

One great tool for creating the partitions is cfdisk, which comes preinstalled with Mint. It is very intuitive and easy to use: you choose the command to be performed with 'Enter' and navigate between the commands and partitions with the arrow keys; I'm sure you will find your way. If cfdisk complains about an unknown partition table type, choose to start with a zero table. Don't forget to write the changes to the disk after editing the partition table. You can start cfdisk with:

Next, you should install Mint to the removable media you have handy (assumed here to be sdb). Before starting the installer, use cfdisk once more to create one single big partition on the device (named sdb1). Create it as primary, occupying the whole disk, with the bootable flag set and type Linux:

Use the regular Mint installer to install to the removable device as you would regularly install to your hard disk. When asked where to install the GRUB boot loader, choose /dev/sdb. Don't reboot the computer once the install is finished.

After finishing the procedure outlined here, the device can be used as persistent Mint live media (as a recovery medium, for example), or you can just delete this intermediate Mint install.

4. Setting up LUKS encryption and Logical Volume Management

Before proceeding, we must install the relevant utilities on the installation media.

Next, we set up encryption on the big partition we created earlier on the target computer's disk. You can use different ciphers, modes of encryption and/or key sizes, but these are pretty good defaults. Also, be sure to choose a sufficiently long passphrase, preferably mixing upper case, lower case, special symbols and punctuation. Keep in mind that if you forget your passphrase you will have to crack it or your data will be lost forever, so choose a passphrase that you can remember.

Now we can add the logical volumes to the setup. Logical volumes are the containers that will hold the file systems, so you can think of them as more or less like standard partitions, but with a lot more flexibility. The partitioning scheme is a subject of much debate, and I won't get into it in this guide. The scheme shown here is just for illustration and shouldn't be taken as authoritative in any way. If you want further advice, the Debian Installer Guide (http://www.debian.org/releases/stable/i386/apc.html.en) is a great resource on this subject (and many others).

To illustrate the procedure in this guide, we will set up five volumes, for the following mount points: swap, /, /var, /usr and /home. Note that there is one further mount point we will be using (namely /boot), but that one resides on its own partition. Adapt this to your own needs (note the lowercase 'l' in the last command; it illustrates some of the other syntax the command accepts):
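The LUKS and LVM steps of this section, as an added example script rather than the guide's own commands. It assumes the big partition is /dev/sda2, names the opened container sda2_crypt and the volume group vg, and uses illustrative sizes for the volumes; with DRY_RUN=1 every function prints the command it would run instead of running it, so the plan can be read back before anything touches the disk.

```shell
#!/bin/sh
# Added example (not the guide's own commands): the LUKS container and LVM
# layout the guide describes. Assumptions: partition /dev/sda2, mapper name
# sda2_crypt, volume group vg, and the sizes below. Real runs need root.
set -eu

# run CMD... : execute CMD, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# luks_setup PART NAME : format PART as LUKS and open it as /dev/mapper/NAME.
# AES in XTS mode with a 512-bit key (256 bits for each of the two XTS keys)
# and SHA-256 for key derivation; cryptsetup prompts for the passphrase.
luks_setup() {
  part=$1; name=$2
  run cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha256 --verify-passphrase "$part"
  run cryptsetup luksOpen "$part" "$name"
}

# lvm_setup NAME VG : physical volume and volume group on the opened
# container, then the five logical volumes for swap, /, /var, /usr and /home.
lvm_setup() {
  name=$1; vg=$2
  run pvcreate "/dev/mapper/$name"
  run vgcreate "$vg" "/dev/mapper/$name"
  run lvcreate -n swap -L 2G "$vg"
  run lvcreate -n root -L 10G "$vg"
  run lvcreate -n var -L 5G "$vg"
  run lvcreate -n usr -L 10G "$vg"
  # lowercase -l takes extents or a percentage; 100%FREE gives /home the rest
  run lvcreate -n home -l 100%FREE "$vg"
}

# mkfs_all VG : swap signature on the swap LV, ext4 on the others
mkfs_all() {
  vg=$1
  run mkswap "/dev/$vg/swap"
  for lv in root var usr home; do
    run mkfs.ext4 "/dev/$vg/$lv"
  done
}

# plan PART NAME VG : the whole sequence as text, without touching anything
plan() (
  DRY_RUN=1
  luks_setup "$1" "$2"
  lvm_setup "$2" "$3"
  mkfs_all "$3"
)

# Real run from the live media, as root:
#   luks_setup /dev/sda2 sda2_crypt; lvm_setup sda2_crypt vg; mkfs_all vg
```

Once the volumes exist they appear both as /dev/vg/NAME and as /dev/mapper/vg-NAME; the latter form is the one that shows up in fstab and in GRUB's error messages later in this thread.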

We had to make an intermediate Mint install earlier because the default installer won't recognize the LVM volumes we have just set up, so we will use that install as the source for our final Linux Mint install. First we set up some mount points:

Nope, we haven't taken this step yet. Earlier we installed LUKS and LVM on the live installation media, now we're installing it on the target system. You remember that, right?

After installing the tools, we need to set up some configuration files so that the system knows how to boot properly once we finish fixing it. First, create the mapping for the encrypted partition in /etc/crypttab:

For the setup used here, the following fstab is a valid one. Use it as a template and adapt it to your own needs. Be sure to remove the entries that were added by the Mint installer when we made the intermediate install:
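The crypttab and fstab entries for this layout, produced by an added helper script (not the guide's own files). It refers to the LUKS partition and to /boot by UUID rather than by /dev/sdaN, which is what the later replies in this thread recommend, and assumes the mapper name sda2_crypt, the volume group vg, ext2 on /boot and ext4 on the logical volumes. On the real system the UUIDs come from blkid; the functions take them as arguments so the output can be checked without a disk.

```shell
#!/bin/sh
# Added example (not the guide's own files): build the /etc/crypttab and
# /etc/fstab entries for the layout above, keyed by UUID instead of /dev/sdaN.
# Assumptions: mapper name sda2_crypt, volume group vg, ext2 on /boot and
# ext4 on the logical volumes.
set -eu

# uuid_of DEVICE : the filesystem or LUKS header UUID as blkid reports it
uuid_of() {
  blkid -s UUID -o value "$1"
}

# check_uuid UUID : reject anything that is not a well-formed UUID, so that a
# device path or an empty blkid result never ends up in crypttab or fstab
check_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# crypttab_entry NAME UUID : "name source keyfile options"; keyfile "none"
# means the passphrase is asked for at boot, "luks" marks a LUKS container
crypttab_entry() {
  check_uuid "$2" || return 1
  printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_entries VG BOOT_UUID : /boot by UUID, everything else through the
# /dev/mapper/VG-LV names that LVM creates once the container is open
fstab_entries() {
  vg=$1; boot=$2
  check_uuid "$boot" || return 1
  printf '# <file system>\t<mount point>\t<type>\t<options>\t<dump>\t<pass>\n'
  printf 'UUID=%s\t/boot\text2\tdefaults\t0\t2\n' "$boot"
  printf '/dev/mapper/%s-root\t/\text4\terrors=remount-ro\t0\t1\n' "$vg"
  printf '/dev/mapper/%s-usr\t/usr\text4\tdefaults\t0\t2\n' "$vg"
  printf '/dev/mapper/%s-var\t/var\text4\tdefaults\t0\t2\n' "$vg"
  printf '/dev/mapper/%s-home\t/home\text4\tdefaults\t0\t2\n' "$vg"
  printf '/dev/mapper/%s-swap\tnone\tswap\tsw\t0\t0\n' "$vg"
  printf 'proc\t/proc\tproc\tdefaults\t0\t0\n'
}

# On the real system, inside the chroot (device names are assumptions):
#   crypttab_entry sda2_crypt "$(uuid_of /dev/sda2)" >> /etc/crypttab
#   fstab_entries vg "$(uuid_of /dev/sda1)" > /etc/fstab
```

The UUID check is there because blkid prints nothing for a device it cannot read, and an empty "UUID=" in crypttab is exactly the kind of mistake that only shows up at the next reboot.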

# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
dm-crypt
# if you're installing on a 32-bit architecture, use aes-i586 instead
aes-x86_64
xts
sha256_generic
sha512_generic
# needed because of my SATA controller, set yours accordingly
ahci

Now cross your fingers, remove the installation media and the removable device on which you did the intermediate install, and reboot your system. When your system starts, it should ask for the LUKS passphrase you set up earlier. Type it at the following prompt; nothing will be echoed back to the screen, which is normal behaviour:
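The mount, copy, chroot and teardown sequence that surrounds the crypttab, fstab and initramfs edits above, as an added example script rather than the guide's own commands. It assumes the intermediate install is on /dev/sdb1, the target volume group is vg, /boot is /dev/sda1, the LUKS mapping is sda2_crypt and GRUB goes to /dev/sda; the teardown is the exact reverse of the mounts, which is where several replies in this thread ran into "busy" and "can't deactivate volume group" errors. DRY_RUN=1 prints each command instead of running it.

```shell
#!/bin/sh
# Added example (not the guide's own commands): mount the target volumes,
# copy the intermediate install over, finish inside the chroot, and undo the
# mounts in reverse order. Assumptions: /dev/sdb1 holds the intermediate
# install, VG vg, /boot on /dev/sda1, LUKS mapping sda2_crypt, GRUB on /dev/sda.
set -eu

# run CMD... : execute CMD, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

TARGET=/mnt/target
SOURCE=/mnt/source

# mount_target VG BOOT_PART : the target tree, parents before children
mount_target() {
  vg=$1; boot=$2
  run mkdir -p "$TARGET"
  run mount "/dev/mapper/$vg-root" "$TARGET"
  for d in boot usr var home; do run mkdir -p "$TARGET/$d"; done
  run mount "$boot" "$TARGET/boot"
  run mount "/dev/mapper/$vg-usr" "$TARGET/usr"
  run mount "/dev/mapper/$vg-var" "$TARGET/var"
  run mount "/dev/mapper/$vg-home" "$TARGET/home"
}

# copy_system SRC_PART : copy the intermediate install into the target tree;
# cp -x stays on that one filesystem, so nothing under /proc or /sys is copied
copy_system() {
  run mkdir -p "$SOURCE"
  run mount "$1" "$SOURCE"
  run cp -ax "$SOURCE/." "$TARGET/"
}

# bind_virtual : the kernel filesystems that tools inside the chroot expect
bind_virtual() {
  for fs in dev dev/pts proc sys; do
    run mkdir -p "$TARGET/$fs"
    run mount --bind "/$fs" "$TARGET/$fs"
  done
}

# finish_in_chroot GRUB_DISK : cryptsetup and lvm2 on the target, an initramfs
# that contains them (and the modules file), then the boot loader on the MBR
finish_in_chroot() {
  run chroot "$TARGET" apt-get install -y cryptsetup lvm2
  run chroot "$TARGET" update-initramfs -u -k all
  run chroot "$TARGET" grub-install "$1"
  run chroot "$TARGET" update-grub
}

# teardown VG NAME : reverse of the mounts. umount reports "busy" while the
# shell's working directory is still inside $TARGET, hence the cd first.
teardown() {
  vg=$1; name=$2
  cd /
  for fs in sys proc dev/pts dev; do run umount "$TARGET/$fs"; done
  for d in home var usr boot; do run umount "$TARGET/$d"; done
  run umount "$TARGET"
  run umount "$SOURCE"
  run vgchange -a n "$vg"
  run cryptsetup luksClose "$name"
}

# plan : the whole sequence as text, without touching anything
plan() (
  DRY_RUN=1
  mount_target vg /dev/sda1
  copy_system /dev/sdb1
  bind_virtual
  finish_in_chroot /dev/sda
  teardown vg sda2_crypt
)
```

vgchange -a n only succeeds once every logical volume is unmounted and swap on the VG is off, and luksClose only once the VG is inactive; keeping the teardown in this order avoids the failures reported further down in the thread.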

Hi CyL, thanks very much for your guide - it definitely worked the best out of the three I've tried so far. I do have a couple of questions however...

1. In step 6, the "mount the remaining virtual file systems" section, I got an error trying to mount tmpfs, and was not able to do so.
2. In the final unmounting steps, when I tried "umount target" I got an error message saying target didn't exist.
Changes I made to your instructions, for my own circumstances:
1. I only created one volume inside the encrypted partition, and assigned it to root - so the only "lvcreate" I did in step 4 was for "root".
2. before both "aptitude update" steps, I updated /etc/apt/sources.list to reflect the new repositories for update pack 3.

regardless, I was able to finish the install and boot into my new encrypted system.

However, now the problem I'm having is that changes to grub.cfg seem to be ignored by the system. When I do "sudo update-grub", I get:

...but, grub.cfg is generated. However, it's then ignored - the only entries in the new grub.cfg are for the 3.0.0 kernel that update pack 3 installs, BUT upon boot, the only menu items are for the older 2.6.29 kernel! Can you tell me why this is, and where grub is looking?

/usr/sbin/grub-probe: error: no such disk.
Auto-detection of a filesystem of /dev/mapper/vg-root failed.
Try with --recheck.
If the problem persists please report this together with the output of "/usr/sbin/grub-probe --device-map="/boot/grub/device.map" --target=fs -v /boot/grub" to <bug-grub@gnu.org>

...and strangely enough I see no core.img in /boot/grub . Do you have an idea as to what's going on?

Okay, I believe I figured it out. I had added "discard" to the mount options in /etc/fstab for both partitions (I'm doing this on an ssd) but ext2 doesn't support "discard". So, during boot /dev/sda1 wasn't getting mounted at /boot, and linux adds a new /boot directory instead, which is the only one that can be seen after booting. Glad I could solve it!

Here's a more detailed list of comments on the original guide, now that I am at a point where everything appears to work correctly:

0. I skip the overwriting with /dev/urandom as I'll be filling the disk with data anyway after install.
1. At the beginning of step 4, I edit /etc/apt/sources.list to conform with the new recommendations for LMDE update pack 3: http://blog.linuxmint.com/?p=1836
2. I use the defaults for luksFormat rather than the --cipher and --key-size options listed.
3. The only lvcreate I do is "lvcreate -n root -l 100%FREE vg" as I'm just mounting the entire encrypted partition as root. I get a warning that "/dev/vg/root should have been created by udev but it was not found", but the command completes regardless.
4. similarly, I only run the first two "mkfs" lines listed, as I haven't created any other volumes.
5. in /mnt/target, I make a subdir for boot but not any others. and, within /mnt/target, I mount /dev/sda1 at boot, but no others.
7. In step 6, I skip the "swapon /dev/mapper/vg-swap" part.
8. ERROR: the "mount -t tmpfs tmpfs /dev/shm" line produces an error "mount: too many levels of symbolic links" and the operation fails. I proceed anyway.
9. Again in the chrooted environment, I edit /etc/apt/sources.list to conform with the new recommendations for LMDE update pack 3.
10. when editing fstab, I remove all but three lines for /boot, /, and proc. I add "noatime" to the options for /boot, and "noatime,discard" to the options for / .
11. I keep all recommended modules in /etc/initramfs-tools/modules , though I suspect I don't need all. ONE IMPORTANT THING! I get errors on boot if I don't remove the comments from the aes-x86_64 and ahci module lines.
12. During the unmounting steps, I skip the dev/shm part as I wasn't able to successfully mount it originally. I also skip umounting usr, var, home, and turning swap off as I never mounted them in the first place.
13. ERROR: the "umount target" command fails with "umount: target: not found". At this stage of the install I'm still in the /mnt/target directory; if I do cd .. first and then try unmounting, I get "device is busy" and another failure. lsof and fuser don't give me info I understand, about squashfs filesystems and stale NFS handles. So, I skip this and continue.
14. ERROR: the "vgchange -a n" command fails with "can't deactivate volume group".

Hopefully this is helpful - cheers. I'm happy with my new system, thanks again for the howto.

I got the "too many levels of symbolic links" error. I decided to fix it by copying /var/run/shm to /mnt/var/run/ before chrooting, though.

I also had to remove the comments from the /etc/initramfs-tools/modules lines.

I also had problems unmounting a few things, and lsof/fuser weren't much help. In the end, I did a few syncs, waited around, did a few syncs, kept getting errors... and said, "screw it." I used umount -l and rebooted.

Unfortunately, I ultimately get the same results with this guide as I do with hashstat's (http://forums.linuxmint.com/viewtopic.p ... it=encrypt*): The boot process looks for my LVM volume group before trying to unlock my drive, so it can't find my volumes. Unless I add some extra steps, the boot scripts never even try to decrypt my drive. If I do add some extra steps (such as creating a /etc/initramfs-tools/conf.d/cryptroot file), the boot routine unlocks my drive only after failing to find the LVM volumes.

1) I did not refer to the encrypted partition by simple number (/dev/sdaN) but instead by UUID (/dev/disk/by-uuid/...). This is very important if you ever delete other partitions because the simple number N may change. This will then break your boot process.

3) I added a kernel command line option to "/etc/default/grub":
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/...:systemCrypt"

4) After mounting the new root and boot partitions and editing fstab I chroot'ed into the new root and ran:
# update-initramfs -u
# dpkg-reconfigure grub-pc

Then rebooted.
If you see an eclectic error message like "evms_activate is not available" it probably means the encrypted partition cannot be located. Check you've got the UUIDs right. The UUID is the one for the partition that you see when you run "sudo blkid".

1. The cleaner way of using UUIDs is to refer to the partition by UUID=... instead of /dev/disk/by-uuid/...
2. You should not need to edit /etc/crypttab because that happens automatically when you use cryptsetup.
3. I'm intrigued by you adding a kernel option in /etc/default/grub, because that should not be necessary; initrd takes care of this automatically.